the art of installing ssl cert for apache on ubuntu
I'm familiar with acquiring and installing a cert for Apache, but I'm hoping to gain a deeper understanding. In particular, I'm fuzzy on the web of trust, the intermediate cert, and the behavior of browsers with respect to validating a cert.
I created a private key, example.com.key, and used it to create a CSR, which I submitted to DigiCert, where I obtained a ZIP file with the cert, example.com.crt, and another file, IntermediateCA.crt. I altered my default-ssl Apache config to refer to these files like so:
Code:
// the cert we bought
Code:
Root installed on the server. For best practices, remove the self-signed root from the server.
I suspected it might be related to the SSLCertificateChainFile setting, and after some trial and error I downloaded DigiCertSHA2ExtendedValidationServerCA.pem from this page (which is pretty confusing) and then altered my Apache default-ssl config like so:
Code:
SSLCertificateChainFile /etc/ssl/xxx-cert/DigiCertSHA2ExtendedValidationServerCA.pem
1) why this fixed the problem
2) what is the difference between the two files
3) why DigiCert would have given me the IntermediateCA.crt file they did when it would cause that error on their very own SSL cert checker tool
4) what browser behaviors, or what underlying cert validation process, might have found to cause the complaint
If anyone could help clear up the role of the SSLCertificateChainFile a bit, or refer me to an explainer on the SSL validation process, I'd be most grateful.
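The path-building behavior behind questions 1) and 4) above, as an added example that is not part of the original post, of Apache, or of DigiCert's tooling: a toy model in Python of how a TLS client walks from the server's leaf certificate to a root it trusts. It matches certificates by subject and issuer name only (no signature, validity-period or key-usage checks), and every certificate name is a constructed placeholder except the intermediate's, which is taken from the file name mentioned above. The `cached_intermediates` parameter stands in for intermediates a browser already holds from earlier sessions or fetches through the leaf's AIA URL; a command-line checker or a plain library client typically has no such cache, which is why the same server can pass in one and fail in the other.

```python
"""Toy model of TLS certificate path building (added example, not from the post).

Matching is by subject/issuer name only: no signatures, dates or key usage
are checked. All certificate names below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when no path from the leaf to a trusted root can be built."""


def build_chain(presented, trust_store, cached_intermediates=()):
    """Return (chain, warnings); chain runs leaf -> ... -> trusted root.

    presented: certs the server sent, leaf first (SSLCertificateFile plus
               whatever SSLCertificateChainFile holds)
    trust_store: the client's trusted self-signed roots
    cached_intermediates: intermediates the client already knows from earlier
               sessions or fetched via AIA; browsers do this, most checker
               tools and library clients do not
    """
    if not presented:
        raise ChainError("server sent no certificate")
    anchors = {c.subject: c for c in trust_store if c.self_signed}
    candidates = {}
    for c in list(presented[1:]) + list(cached_intermediates):
        candidates.setdefault(c.subject, c)

    # A self-signed root in the server's chain is never needed: the client
    # either trusts that root already or will not trust it because the
    # server sent it. This mirrors the checker's "root installed" complaint.
    warnings = [
        f"server sent self-signed root {c.subject!r}: redundant if trusted, "
        "useless if not; drop it from the chain file"
        for c in presented[1:] if c.self_signed
    ]

    chain = [presented[0]]
    seen = {presented[0].subject}
    while True:
        cur = chain[-1]
        if cur.issuer in anchors:            # reached a trust anchor: done
            chain.append(anchors[cur.issuer])
            return chain, warnings
        nxt = candidates.get(cur.issuer)
        if nxt is None:                      # the classic missing-intermediate case
            raise ChainError(
                f"no certificate for issuer {cur.issuer!r} of {cur.subject!r}")
        if nxt.self_signed:                  # a root the client does not trust
            raise ChainError(f"chain ends at untrusted root {nxt.subject!r}")
        if nxt.subject in seen:
            raise ChainError("issuer loop")
        seen.add(nxt.subject)
        chain.append(nxt)


# Constructed names; only the intermediate's name comes from the post.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("DigiCert SHA2 Extended Validation Server CA", ROOT.subject)
LEAF = Cert("example.com", INTERMEDIATE.subject)
TRUST_STORE = [ROOT]


def verify(presented, cached_intermediates=(), trust_store=TRUST_STORE):
    """Run build_chain and report the outcome as a plain dict."""
    try:
        chain, warnings = build_chain(presented, trust_store, cached_intermediates)
    except ChainError as e:
        return {"ok": False, "reason": str(e)}
    return {"ok": True, "depth": len(chain), "warnings": warnings}


if __name__ == "__main__":
    print("leaf only, client with nothing cached:", verify([LEAF]))
    print("leaf only, browser with cached intermediate:",
          verify([LEAF], cached_intermediates=[INTERMEDIATE]))
    print("leaf + intermediate (what SSLCertificateChainFile adds):",
          verify([LEAF, INTERMEDIATE]))
    print("leaf + root but no intermediate:", verify([LEAF, ROOT]))
    print("leaf + intermediate + root:", verify([LEAF, INTERMEDIATE, ROOT]))
```

Run as a script it prints the five cases: a leaf on its own fails for a client with nothing cached and passes for one that already holds the intermediate; once the server sends the intermediate itself the chain closes for everyone; sending the root as well only produces the warning; and sending the root instead of the intermediate does not help, because the gap between leaf and root is still there.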
I also checked my installation using Qualys/SSL Labs' test and, while it gets an "A" rating, I see a few warnings:
Under the heading Certificate #1: RSA 2048 bits (SHA256withRSA), in its subsection Server Key and Certificate #1, it has "DNS CAA" highlighted in orange with a value of "No" and a link here. I understand that I need to create a DNS record, but I'm having a bit of trouble understanding the exact values to put in this record and the implications of these values. In particular, I expect to install a wildcard cert at some point to support language subdomains. I'm not sure if I should use the issuewild property or whatever. I found a helper tool but would appreciate some advice. Given that I probably want to issue a wildcard certificate via DigiCert, that tool returns this for me:
Code:
example.com. CAA 0 issue "Digicert.com"
1) why 3 entries?
2) does case matter?
3) what is the impact of the issuewild property tag?
4) what does the value of zero do?
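A worked evaluation of the CAA questions above (issue versus issuewild, case, and the flags byte), as an added example rather than output of the helper tool or anything from DigiCert: a small Python evaluator that follows the RFC 8659 rules a CA applies before issuing. It finds the relevant RRset by climbing from the requested name toward the root until an owner with CAA records is found, strips the `*.` label from a wildcard request first, lets `issuewild` records override `issue` records for wildcard requests when present, treats the issuer domain case-insensitively, and refuses to issue when a record it does not understand carries the critical flag (128; the 0 in the post means "not critical"). The zone text is constructed for illustration; `dev.example.com`, `example.net`, `letsencrypt.org` and `futuretag` are placeholders, and the only line taken from the post is the `issue "Digicert.com"` record.

```python
"""CAA evaluation per RFC 8659 (added example; not from the post or any tool)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int    # 128 = issuer-critical bit set; 0 = not critical
    tag: str      # issue | issuewild | iodef | anything else
    value: str


# Presentation format, optionally with TTL and class:
#   example.com.  [3600] [IN] CAA 0 issue "digicert.com"
CAA_RE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$',
    re.IGNORECASE,
)

CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags this model CA understands


def parse_zone(text):
    """Parse CAA lines into {owner_name: [CAA, ...]}; owner and tag lowercased."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_RE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        records.setdefault(owner.rstrip(".").lower(), []).append(
            CAA(int(flags), tag.lower(), value.strip()))
    return records


def relevant_rrset(records, name):
    """RFC 8659 s.3: use the CAA RRset of name, else of its parent, and so on up."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if records.get(owner):
            return owner, records[owner]
    return None, []


def issuer_domain(value):
    """'DigiCert.com; account=42' -> 'digicert.com'; ';' alone -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, requested_name, ca_domain):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name   # drop the '*.' label
    owner, rrset = relevant_rrset(records, lookup)
    if not rrset:
        return True, "no CAA records found climbing to the root: any CA may issue"
    for r in rrset:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"{owner} has critical tag {r.tag!r} this CA does not understand"
    # For wildcard requests issuewild wins if present; otherwise issue applies.
    applicable = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not applicable:
        applicable = [r for r in rrset if r.tag == "issue"]
    if not applicable:
        return True, f"{owner} has CAA records but none restricting issuance"
    ca = ca_domain.lower()                 # domain names compare case-insensitively
    for r in applicable:
        if issuer_domain(r.value) == ca:
            return True, f"{r.tag} {r.value!r} at {owner} authorizes {ca}"
    allowed = sorted({issuer_domain(r.value) for r in applicable} - {""})
    kind = "wildcard " if wildcard else ""
    return False, f"{owner} limits {kind}issuance to {allowed or 'no CA at all'}"


# Constructed zone text; only the issue "Digicert.com" line comes from the post.
ZONE = """
example.com.      CAA 0 issue "Digicert.com"
example.com.      CAA 0 issuewild ";"
example.com.      CAA 0 iodef "mailto:security@example.com"
dev.example.com.  CAA 0 issue "letsencrypt.org"
example.net.      CAA 128 futuretag "whatever"
"""
RECORDS = parse_zone(ZONE)

if __name__ == "__main__":
    for name, ca in [("www.example.com", "digicert.com"),
                     ("*.example.com", "digicert.com"),
                     ("fr.example.com", "letsencrypt.org"),
                     ("dev.example.com", "letsencrypt.org"),
                     ("*.dev.example.com", "letsencrypt.org"),
                     ("example.net", "digicert.com")]:
        print(f"{name:20} {ca:16} -> {may_issue(RECORDS, name, ca)}")
```

Two points the run makes concrete: with `issuewild ";"` in place, DigiCert can issue `www.example.com` but not `*.example.com` even though the `issue` record names it, so a zone that wants a wildcard from the same CA needs either no `issuewild` at all or an `issuewild "digicert.com"` record; and `dev.example.com` is governed by its own RRset, not the parent's, which is what lets a language subdomain have a different CA if that is ever wanted.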
More issues I've noticed. In the SSL Labs report, it looks like the Java 8u161 client choked on the cert:
Code:
Java 8u161 - Client aborts on SNI unrecognized_name warning